Developers Can Immediately Check Federal Software Applications for Open Source Vulnerabilities
Fulton, MD - December 10, 2014 - Sonatype, a software company that enables developers to easily build software applications while significantly reducing security, compliance, and licensing risks, today released a free Application Health Check to immediately alert federal agencies and software suppliers about known vulnerable open source components and where they exist within an application.
While the use of open source components has dramatically accelerated application development and release schedules, poor knowledge of the risks coupled with a lack of governance processes has resulted in millions of third-party and open source components with known vulnerabilities being built into software each year.
To address this pressing cyber security threat, the Chairman of the House Committee on Foreign Affairs Rep. Ed Royce (R-CA) and Rep. Lynn Jenkins (R-KS) introduced the Cyber Supply Chain and Transparency Act of 2014.* The purpose of the act is to help defend the U.S. government cyber infrastructure, and to help the Department of Homeland Security and other agencies carry out their cyber defense mandate. This proposed legislation simply states that any supplier of software to the Federal government must identify which third-party and open source components are used, and that those components cannot include known vulnerabilities (per the NIST NVD) for which a less vulnerable alternative is available.
From Chairman Royce's introductory remarks for the bill on the floor of the U.S. House of Representatives: "With around ninety percent of a modern software application made up of open source components, the problem of deployed software containing open source components with known vulnerabilities is one of great concern. The nation's economy needs open source software development and applications built with it. It is precisely because of the importance of open source components to modern software development, that we need to ensure integrity in the open source supply chain, so vulnerabilities are not populated throughout the hundreds of thousands of software applications that use open source components."
"We would not be willing to use a known bad airbag in our cars. We would not knowingly serve E. coli-tainted spinach in our salads. And we cannot afford to include known exploitable software in our government infrastructure," said Wayne Jackson, CEO, Sonatype, Inc. "We're pleased that the U.S. Congress has taken this important first step. To help the agencies and their software suppliers quickly assess their impact, we are opening our Application Health Check to provide complimentary analysis to document the components and known vulnerabilities that exist in their software."
Added Josh Corman, CTO, Sonatype, "Every modern industry with the potential to impact public safety has graduated to a mature supply chain. Our dependence on software now also commands this rigor. With weak software being the preferred attack vector, and more than a breach a week, the supply chain focus of this congressional action could have a profound impact on national security."
Sonatype's Application Health Check is available free of charge effective today. Please see Sonatype's Open Source Vulnerability Scanner to learn more and download the tool.
For related information please see:
- Cyber Supply Chain Security | Article by Paul Rosenzweig (http://www.lawfareblog.com/2014/12/cyber-supply-chain-security/)
- Reps. Royce, Jenkins to Shore Up Security of Government Used Software (http://bit.ly/RoyceCyberSecurity)
- Code, Cars, and Congress: A Time for Cyber Supply Chain Management | Blog by Wayne Jackson (http://bit.ly/CyberSupplyChainBlog)
- 2014 Application Security and Open Source Development Survey (http://bit.ly/OpenSource14_Security)
About Sonatype:
Every day, developers rely on millions of third-party and open source building blocks, known as components, to build the software that runs our world. Sonatype provides Software Supply Chain Management to ensure that only the best components are used throughout the software development lifecycle, so organizations don't have to make the tradeoff between going fast and being secure. Policy automation, ongoing monitoring and proactive alerts make it easy to have full visibility and control of components throughout the software supply chain, so that applications start secure and remain that way over time. Sonatype is privately held with investments from New Enterprise Associates (NEA), Accel Partners, Bay Partners, Hummer Winblad Venture Partners and Morgenthaler Ventures. Visit: www.sonatype.com
Tony Keller, The Walker Group, tkeller@walkerlimited.com